FortiOS 5.6.9 is out!

Author
XavierMP
New Member
  • Total Posts : 18
  • Joined: 2015/04/16 02:50:49
Re: FortiOS 5.6.9 is out! 2019/05/29 09:35:16 (permalink)
It's not the same CVE:
CVE-2018-13382 vs CVE-2019-5586
FG-IR-18-389 vs FG-IR-19-034
#21
Frosty
Gold Member
  • Total Posts : 173
  • Joined: 2010/11/03 15:53:40
Re: FortiOS 5.6.9 is out! 2019/05/29 18:31:10 (permalink)
Can someone clarify something for me? I've read through all these CVEs and the FG links above. They all seem to be vulnerabilities in the SSL VPN Web Portal only. Have I understood that correctly? If we're only using FortiClient connections, is there any urgency to upgrade?
#22
Kenundrum
Gold Member
  • Total Posts : 142
  • Joined: 2008/05/15 10:25:50
  • Location: Rhode Island, US
Re: FortiOS 5.6.9 is out! 2019/05/29 19:03:47 (permalink)
Stephen Frost wrote:
  If we're only using FortiClient connections, is there any urgency to upgrade?

Unfortunately, based on the sparse details, if you're using FortiClient connections to an SSL VPN, then you are vulnerable. If you are using FortiClient exclusively for IPsec tunnels, then you can use the workaround and disable SSL VPN altogether.
The nature of the vulnerabilities appears to be that an unauthenticated user can send HTTP requests that perform unintended/unauthorized actions. If you are using SSL VPN at all, it must respond to HTTP requests by its nature, and it won't matter if they are coming from a browser or from a FortiClient.
The advisory is very light on details and the CVE entries have not been updated. It's hard to know for sure, so it's best to assume you are susceptible.
Again, the silver lining is that this appears to be relatively obscure and does not appear to completely compromise the system. However, the one about changing a user password can likely be combined with some other issue to really cause trouble on the receiving end.

NSE4
Some FGT500Es, 500Ds, 60Ds at work
FWF60E, FWF80CM at home
#23
Frosty
Gold Member
  • Total Posts : 173
  • Joined: 2010/11/03 15:53:40
Re: FortiOS 5.6.9 is out! 2019/05/29 19:30:37 (permalink)
Thanks for the reply. Yeah, that's what I was hoping to avoid, but I might need to upgrade right away. Damn. I'm heading off on leave from next week too, so I don't want to risk introducing any stability issues by doing a major firmware upgrade just before I go.
#24
Rami
New Member
  • Total Posts : 3
  • Joined: 2019/06/02 23:21:26
Re: FortiOS 5.6.9 is out! 2019/06/02 23:24:44 (permalink)
Hello,
I am currently at 5.6.8. I have a valid upgrade path to 5.6.9, but as I currently understand that this version is also vulnerable, I only have the option to upgrade to 6.0.0/6.0.1/6.0.2, and all 3 of them with an invalid upgrade path.
I have no other firmware listed than 6.0.0-6.0.2.

Should I go to 5.6.9 in order to be able to upgrade to 6.0.5?
post edited by Rami - 2019/06/02 23:30:11
#25
Rami
New Member
  • Total Posts : 3
  • Joined: 2019/06/02 23:21:26
Re: FortiOS 5.6.9 is out! 2019/06/03 04:45:19 (permalink)
Upgrading to 5.6.9 gave me the option to upgrade to 6.0.3, but still an invalid upgrade path.
6.0.4 and 6.0.5: I can't see either of them.
#26
gbagita
New Member
  • Total Posts : 3
  • Joined: 2016/02/15 04:59:50
Re: FortiOS 5.6.9 is out! 2019/06/03 07:13:21 (permalink)
rojekj wrote:
  Beware, as this release has a major bug in SSL VPN. When a user is in multiple groups that grant different access in SSL VPN, only the first group is working. For example:
  User x is in group vpn_a and vpn_b; group vpn_a grants access to 1.1.1.1 and group vpn_b grants access to 2.2.2.2. After upgrading to 5.6.9, the user can no longer access 2.2.2.2. After removing him from the vpn_a group he can access 2.2.2.2 again.

  Once again, our VPN gateway is broken after an upgrade.
  When will it be fixed? In 6 months? Or 7? So I must live with a vulnerable VPN till then?
  Seriously, I don't have words for Fortinet's QA. Because it does not exist!

I can confirm this. We have the same problem. Don't use this version of FortiOS when you have rules based on LDAP groups, and where one user is a member of two or more different groups!
#27
fgtenterprise
New Member
  • Total Posts : 3
  • Joined: 2018/12/19 07:32:55
Re: FortiOS 5.6.9 is out! 2019/06/04 07:23:13 (permalink)
Why was this not in the release notes? Painful.

Opening ticket. :/
#28
lubyou
Bronze Member
  • Total Posts : 25
  • Joined: 2011/01/05 00:57:21
Re: FortiOS 5.6.9 is out! 2019/06/09 05:47:04 (permalink)
This seems to be broken in all versions after 5.6.8; at least I was able to reproduce it on 5.6.9, 6.0.5, and 6.2.0.
 
This is a huge issue, because now we have the choice between being vulnerable to the various CVEs or semi/non-working SSL VPNs.
 
Major annoyance! QA seems to be non-existent these days!
#29
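The thread describes two things a practitioner would want to verify on their own gateway after an upgrade: that a user in several SSL VPN groups can still reach everything any of those groups grants (the regression reported in posts #27 and #29), and, if the workaround from post #23 is applied instead, that the SSL VPN listener is really closed. The following is an added example, not code from the thread or from Fortinet. The group names, addresses and ports are constructed to mirror rojekj's example; `first_group_only` is a model of the behaviour the posters describe, used only to simulate a broken gateway, and the TCP probe must be run from a client already logged in as the user under test.

```python
"""Added example: post-upgrade SSL VPN access regression check plus a TCP probe.
Sample data below is constructed; it is not a real policy configuration."""
import socket
from typing import Callable, Dict, List, Set, Tuple

Dest = Tuple[str, int]                 # (host, port) a policy grants access to
ProbeFn = Callable[[str, int], bool]   # returns True when host:port answers

# Constructed to mirror the thread's example (assumed names and addresses).
GROUP_GRANTS: Dict[str, Set[Dest]] = {
    "vpn_a": {("1.1.1.1", 443)},
    "vpn_b": {("2.2.2.2", 443)},
}
USER_GROUPS: Dict[str, List[str]] = {"x": ["vpn_a", "vpn_b"]}


def expected_access(user: str, user_groups: Dict[str, List[str]],
                    group_grants: Dict[str, Set[Dest]]) -> Set[Dest]:
    """What a correctly behaving SSL VPN should allow: the union of the grants
    of every group the user belongs to."""
    allowed: Set[Dest] = set()
    for group in user_groups.get(user, []):
        allowed |= group_grants.get(group, set())
    return allowed


def first_group_only(user: str, user_groups: Dict[str, List[str]],
                     group_grants: Dict[str, Set[Dest]]) -> Set[Dest]:
    """Model of the regression the posters describe: only the first group
    membership is honoured. Used to simulate a broken gateway offline."""
    groups = user_groups.get(user, [])
    return set(group_grants.get(groups[0], set())) if groups else set()


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.
    Pointed at the gateway's SSL VPN port, a False result confirms the
    'disable SSL VPN' workaround actually closed the listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_regressions(user: str, user_groups: Dict[str, List[str]],
                     group_grants: Dict[str, Set[Dest]],
                     probe: ProbeFn = tcp_reachable) -> List[Dest]:
    """Destinations the user should reach but cannot, sorted for stable output.
    `probe` is injectable so the check can be exercised without a live tunnel."""
    expected = expected_access(user, user_groups, group_grants)
    return sorted(d for d in expected if not probe(*d))


def simulate_bug(user: str, user_groups: Dict[str, List[str]],
                 group_grants: Dict[str, Set[Dest]]) -> List[Dest]:
    """Run the regression check against a simulated first-group-only gateway."""
    reachable = first_group_only(user, user_groups, group_grants)
    return find_regressions(user, user_groups, group_grants,
                            probe=lambda h, p: (h, p) in reachable)


if __name__ == "__main__":
    print("expected:", sorted(expected_access("x", USER_GROUPS, GROUP_GRANTS)))
    print("missing on a broken gateway:",
          simulate_bug("x", USER_GROUPS, GROUP_GRANTS))
    # Live run, from a client logged in as user x:
    # print(find_regressions("x", USER_GROUPS, GROUP_GRANTS))
```

Against the constructed data the simulation reports `("2.2.2.2", 443)` as missing, which is exactly the symptom rojekj describes; a clean gateway returns an empty list. Keeping the expected set as the union of all group grants is the point: if the check is written against only the first group, the regression passes unnoticed.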
FortiOSman
Bronze Member
  • Total Posts : 36
  • Joined: 2016/08/03 10:14:57
Re: FortiOS 5.6.9 is out! 2019/08/05 09:09:14 (permalink)
5.6.10 was just released. Can anyone confirm if it resolves the SSL VPN issue? I'm thinking it might be 542706.

Bug ID   Description
515370   SSL VPN access denied if address object added after group object in firewall policy
540328   SSL VPN web mode accessing internal server getting ERR_EMPTY_RESPONSE in browsers.
542706   With groups and its users in different SSL VPN policies and accessing resources via web, only user based policies are processed.
#30